Fortunately, due to some uncaught exception in the code, the trojan (SHA1: 0d2d3317c6ca1a9812d357741f45af6bb360d89c) doesn’t complete its malicious activities — it just crashes and terminates:

We’ve found over a hundred copies of the trojans, but the large number doesn’t make it technically advanced — the copies basically use the same source code, but just re-shuffled into different configurations for the different packages.

The trojans were found on third-party Android markets and targets users in Russia, Belarus, Kazakhstan and Azerbaijan.

Even though these trojans crash and fail, we are still detecting them due to the malicious routines, and also because of large number of copies circulating.